Security system with a wireless security device

ABSTRACT

A device includes a security controller to determine whether a wireless security device is authorized to access at least one resource protected by a secure access device based, at least in part, on identification signals that originate from the wireless security device. The security controller is configured to receive location information corresponding to the wireless security device from at least one wireless device. When the wireless security device is authorized to access at least one resource, the security controller is configured to direct the security access device to disable at least one security measure that restricts user access to the at least one resource based, at least in part, on the location information corresponding to the wireless security device.

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application is a continuation application of U.S.Non-Provisional application Ser. No. 14/512,944, filed on Oct. 13, 2014,which claims the priority and benefit of U.S. Non-Provisionalapplication Ser. No. 12/948,587, filed on Nov. 17, 2010, all of whichare incorporated by reference herein in their entirety.

TECHNICAL FIELD

This disclosure relates generally to electronic systems, and, moreparticularly, to security systems utilizing wireless security devices.

BACKGROUND

Many buildings and offices have security systems that selectively allowpersonnel admission through their various entrances. These securitysystems typically have automated locks on their entrances, which can betemporarily deactivated by personnel that are authorized to access thebuildings or offices.

Businesses will often issue authorized personnel a personalidentification number (PIN) or a pass card, for example, having passiveradio-frequency identification (RFID) technology, which can be utilizedto gain access to the buildings or offices. The personal identificationnumber, when entered into the security system, or the pass card, whenswiped across the security system, will temporarily deactivate or unlockthe automated lock for a particular entrance long enough to allow theauthorized personnel access to the building or office.

SUMMARY

This patent application discloses a device includes a securitycontroller to determine whether a wireless security device is authorizedto access at least one resource protected by a secure access devicebased, at least in part, on identification signals that originate fromthe wireless security device. The security controller is configured toreceive location information corresponding to the wireless securitydevice from at least one wireless device. When the wireless securitydevice is authorized to access at least one resource, the securitycontroller is configured to direct the security access device to disableat least one security measure that restricts user access to the at leastone resource based, at least in part, on the location informationcorresponding to the wireless security device.

A system includes a secure access device to control access to protectedresources and a wireless device to identify a location of a wirelesssecurity device in an environment. The system also include a securitycontroller to determine whether the wireless security device isauthorized to access at least one resource protected by the secureaccess device based, at least in part, on identification signals thatoriginate from the wireless security device and the identified locationof the wireless security device in the environment.

A wireless security device includes a controller to determine whether auser is authorized to utilize the wireless security device based, atleast in part, on a biometric input from the user. The wireless securitydevice also includes a wireless transmitter to automatically emit one ormore identification signals when directed by the controller responsiveto the determination. A security system is configured to disable atleast one security measure that restricts user access to protectedresources based, at least in part, on the one or more identificationsignals and a detected location of the wireless security device.

DESCRIPTION OF THE DRAWINGS

FIGS. 1A-1D are block diagram examples of a security system according toembodiments of the invention.

FIGS. 2A-2B and 3A-3B are block diagram examples for utilizing thewireless security device shown in FIG. 1A.

FIG. 4 is a block diagram example of the wireless security device shownin FIG. 1A.

FIG. 5 is a block diagram example of the secure access device accordingto embodiments of the invention.

FIG. 6 is an example operational flowchart for the wireless securitydevice and the security system according to embodiments of theinvention.

DETAILED DESCRIPTION

Security systems can implement one or more security measures to restrictuser access to various protected resources, such as secured equipment orsecured areas of a building or office. A wireless security device or keyfob can automatically transmit identification signals that, whenreceived by the security system, disable at least one of the securitymeasures. The security system and the wireless security device can alsoimplement multiple techniques to help ensure access to the protectedresources is not granted to unauthorized users. Embodiments are shownand described below in greater detail.

FIG. 1A is block diagram example of a security system 100 according toembodiments of the invention. Referring to FIG. 1A, the security system100 includes one or more secure access devices, for example, included ina personal computer 110, an access point 120, an entry device 130,and/or a security control unit 140, which can selectively restrictaccess to protected resources. For instance, the secure access devicesin the personal computer 110 or the access point 120 can authenticate auser, e.g., through a user log-on procedure, before allowing the user toutilize its processing resources. When the entry device 130 includes asecure access device, the entry device 130 can authenticate personalthat are authorized to utilize an entrance 135 to a secured area, suchas a building or an office.

A wireless security device 400 includes a wireless transceiver 410 thatcan wirelessly communicate with one or more of the secure access devicesand prompt them to disable security measures that restrict access totheir protected resources. For example, the wireless security device 400can transmit or emit identification signals that direct the secureaccess devices to disable their respective security measures. Althoughthe wireless security device 400 is shown in FIG. 1A as a key fob-typedevice, in some embodiments, it or the related functionality can beintegrated into and/or downloaded onto other electronic devices, e.g.,mobile phones or handsets, laptop computers, digital music players, orany other device that can transmit identification signals to thesecurity system 100.

The wireless security device 400, in some embodiments, can periodicallytransmit the identification signals over a predetermined range from thewireless security device 400. Thus, when the wireless security device400 travels within the predetermined range of a secure access device,the secure access device can receive the identification signal anddisable its corresponding security measure. The length of the delaybetween transmissions, i.e., the frequency of the periodictransmissions, can be sufficiently short to cause the secure accessdevice to keep the security measure disabled, while the secure accessdevice is within the predetermined range of the wireless security device400.

The security system 100 can include a security control unit 140 tocommunicate with one or more of the secure access devices, such as thoseincluded in the personal computer 110, the access point 120, and theentry device 130. In some embodiments, the security control unit 140 canbe implemented on a server or other network device, and communicate withthe secure access devices over one or more networks. The securitycontrol unit 140 can provide a centralized location to analyzeidentification signals from a wireless security device 400 and controlthe states of the security measures that restrict access to theirprotected resources. Embodiments of the wireless security device 400 andsecurity system 100 will be described below in greater detail.

In some embodiments, the secure access devices or the security controlunit 140 can log access events or attempts to access protectedresources. These logging events can track usage of the protectedresources, for various reasons including billing or maintenance.Although FIG. 1A shows several example applications that can includesecure access devices, it is not meant to be exclusive. In someembodiments, secure access devices can be included in automobiles,controlling security measures, such as car locks and ignition. Forexample, the secure access devices can automatically unlock car locks,activate an ignition, or allow a user to manual perform these tasks. Thesecure access devices can be used to control access to securitycontainers, such as safes, file cabinets, safety deposit boxes, realtorlockboxes, mailboxes, utility enclosures for circuit breakers or meters,hotel rooms, trailers, shipping containers, etc.

FIGS. 1B-1D are top-views of an example implementation for the securitysystem 100 with the wireless security device 400. Referring to FIGS.1B-1D, the security system 100 can be utilized to selectively grantaccess to a secured area 180, for example, through entrance 135, andselectively grant access to secured resources, such as personalcomputers 110 and access point 120.

The security system 100 can include the security control unit 140, whichcan be executed on or included in a security server 155. The securedserver 155, in some embodiments, can be located in a remote locationfrom the secured area 180, such as in a separate remote security room150. The remote security room 150 can be on-site, such as in a room orbuilding near the secured area 180, or located off-site and able tocommunicate with the rest of the security system 100 through one or morenetworks. The security control unit 140 can communicate with otherportions of the security system 100 through a wired or wirelessconnection directly to the secure access devices of the security system100, or through one or more intermediary network nodes, such as theaccess point 120.

Referring to FIG. 1B, the security control unit 140 can control accessto the secured area 180 through the entrance 135 via the entry device130. For example, when the wireless security device 400 has beenactivated by a user and is within a wireless range of the entry device130, the entry device 130 can receive identification signals from thewireless security device 400 and forward them to the security controlunit 140 for analysis and processing. In some embodiments, the securitycontrol unit 140 can determine whether the wireless security device 400is authorized to access the resource protected by the entry device,e.g., access to the secured area 180 through the entrance 135, andtransmit a response to the entry device 130 to indicate whether theentry device 130 is to grant the wireless security device 400 access tothe secured area 180 through the entrance 135. This authorizationdetermination can be performed in various ways, for example, bycomparing the identification signals received by the entry device 130 toan access list (not shown).

The security system 100 can also include a proximity sensor 160, whichcan help avert tailgating of multiple users through the entrance 135.The proximity sensor 160 can be an infrared sensor, such as a passiveinfrared (PIR) sensor, and can detect when an object or person is closeto the wireless security device 400. The proximity sensor 160 cantransmit a proximity detection signal to the security control unit 140,and the security control unit 140 can determine whether to grant thewireless security device 400 access to the secured area 180 based on theidentification signals from the entry device 130 and the proximitydetection signal from the proximity sensor 160.

Referring to FIGS. 1C and 1D, the security system 100 can include one ormore sensor nodes 170, which can be utilized to detect the location ofthe wireless security device 400 in the secured area 180. The sensornodes 170, in some embodiments, can be nodes of a wireless sensornetwork (WSN) having location-finding capabilities, for example,802.15.4a, Zigbee Pro, and other network systems built on standardwireless sensor network technologies, such as 104.15.4. In someembodiments, the wireless sensor network can be used for environmentalmonitoring and control, such as HVAC and lighting control, as well as,detecting a location of the wireless security device 400.

The sensor nodes 170, in some embodiments, can each measure a distanceto the wireless security device 400 and report those distances to thesecurity control unit 140 or directly to a secured access device, suchas the personal computers 110 or the access point 120. The securitycontrol unit 140 or the secured access device can determine a locationof the wireless security device 400 within the secured area 180 based onthe distance measurements from the sensor nodes 170, and in someembodiments, a distance measurement from the secure access devicesthemselves.

The secure access devices, such as the personal computers 110 and theaccess point 120, can receive identification signals from the wirelesssecurity device 400 and forward them to the security control unit 140for analysis and processing. The security control unit 140 can transmita response to the secure access devices, such as the personal computers110 and the access point 120, based on the identification signals andthe location of the wireless security device 400 in the secured area180. For example, when the location of the wireless security device 400is determined to be within a predetermined location of the secured area180, such as within a specified office or cubicle in the secured area180, the security control unit 140 can transmit the response to thesecure access device to grant access to the protected resource.

After access has been granted to the protected resource, the securitycontrol unit 140 can determine the location of the wireless device 400in the secured area 180. This location determination can be madecontinually, periodically, intermittently, randomly, or when prompted byanother device in the security system 100, for example, upon detectionof movement in the wireless security device 400. In some embodiments,the secure access device can signal the security control unit 140 whenthe wireless security device 400 fails to provide an identificationsignal after access has been granted, indicating that the wirelesssecurity device 400 is out-of-range of the secure access device. Thewireless security device 400 can also internally detect motion ormovement, and signal the secure access device and/or the securitycontrol unit 140 to prompt a location determination of the wirelesssecurity device 400. The security system 100 can also include one ormore motion sensors (not shown) that can detect motion within thesecured area 180 and prompt a location determination of the wirelesssecurity device 400 responsive to detecting the motion. When thewireless security device 400 is detected as being outside of apredetermined location in the secured area 180, the security controlunit 140 can signal the personal computer 110 to revoke access to theprotected resource, for example, by logging-out the user.

FIGS. 2A-2B and 3A-3B are block diagram examples for utilizing thewireless security device 400 shown in FIG. 1A. Referring to FIGS. 2A and2B, the wireless access device 400 can transmit identification signalsover a wireless range 401. In some embodiments, the wireless accessdevice 400 can control the magnitude or size of the wireless range 401,for example, by varying the transmit signal strength of the wirelesstransceiver 410. Although the wireless range 401 is shown assubstantially spherical or circular, in some embodiments, the wirelesstransceiver 410 of the wireless security device 400 can bedirectional—projecting wireless signals in a specific direction from thewireless security device 400.

The security system 100 includes the entry device 130 and a lockingmechanism 220, which can be at least partially housed within a wall 210.The wall 210 can also define an entrance 135 and support a door 230 torestrict access to through the entrance 135, for example, when the door230 is coupled to the locking mechanism 220. The entry device 130 cancontrol the locking mechanism 220 to lock or unlock the door 230, whichselectively grants access to the entrance 135, in response to wirelesssignals from the wireless security device 400. Although FIGS. 2A and 2B,show a door 230 as restricting access through the entrance 135, in someembodiments, any object that can restrict access to the entrance 135responsive to the entry device 130 and locking mechanism 220.

As shown in FIG. 2A, when the entry device 130 is not within thewireless range 401 of the wireless security device 400, the lockingmechanism 220 can lock the door 230 and deny access through the entrance135. In FIG. 2B, when the wireless security device 400 travels towardsthe entry device 130 and the entry device 130 is within the wirelessrange 401 of the wireless security device 400, the entry device 130 candirect the locking mechanism 220 to unlock the door 230, granting accessthrough the entrance 135. For example, when the entry device 130 iswithin the wireless range 401, the entry device 130 can receiveidentification signals from the wireless security device 400 that promptthe entry device 130 to have the locking mechanism 220 unlock the door230. In some embodiments, the door 230 can open automatically responsiveto the entry device 130, while in other embodiments, an unlock door 230can be manually opened by a user attempting to pass through the entrance135.

In some embodiments, the entry device 130 can include a proximity sensor(not shown) to help avert tailgating of multiple users through the door230. The proximity sensor can be an infrared sensor, such as a passiveinfrared (PIR) sensor, and can detect when multiple users are close tothe door 230. When multiple users are close to the door 230, the entrydevice 130 can provide an alert, such as an audible or visualpresentation, that indicates to the users that too many users are nearthe door 230. The entry device 130 can also disable access through theentrance 135 until the excess users move away from the door 230 based onthe detection by the proximity sensor.

Referring to FIGS. 3A and 3B, similar to as shown in FIGS. 2A and 2B,the wireless access device 400 can transmit identification signals overa wireless range 401. The security system 100 includes a personalcomputer 110 having a secure access device 310 to restrict or provideaccess to at least some of the functions and/or resources of thepersonal computer 110.

In FIG. 3A, when the personal computer 110 is not within the wirelessrange 401 of the wireless security device 400, the secure access device310 can restrict access to at least some of the functions and/orresources of the personal computer 110. The wireless range 401 can be amaximum distance wireless signals are detectable from the wirelesssecurity device 400. For example, the secure access device 310 can forceone or more users to be logged off of the personal computer 110 when thewireless security device 400 is out-of-range of the secure access device310. In some embodiments, when the personal computer 110 is not withinthe wireless range 401 of the wireless security device 400, the secureaccess device 310 can elect to not automatically provide access to thepersonal computer 110.

In some embodiments, the secure access device 310 can also have a securerange 402. When the wireless security device 400 is not within thesecure range 402 of the secure access device 310, the secure accessdevice 310 can restrict access to at least some of the functions and/orresources of the personal computer 110. Since, in some embodiments, thesecure access device 310 can receive wireless signals from the wirelesssecurity device 400 when the wireless security device 400 is outside ofthe secure range 402, the secure access device 310 may elect to provideaccess based on a location of the wireless security device 400.

There are several ways the secure access device 310 can detect thelocation of the wireless security device 400. The secure access device310 can implement a wireless link with the wireless security device 400and detect a distance the wireless security device 400 is from thesecure access device 310 based on a signal strength analysis of thewireless link. For instance, the secure access device 310 can measure astrength of wireless signaling with the wireless security device 400 todetect a distance the wireless security device 400 is from the secureaccess device 310. In some embodiments, the wireless link between thesecure access device 310 and the wireless security device 400 canutilize multiple frequency bands, such as 300-400 MHz UHF, 800 MHz and2.4 GHz bands, and measure the signal strength on each frequency,possibly several times in each direction, to provide an accuratemeasurement of the distance between the secure access device 310 and thewireless security device 400.

In some applications, such as in when an environment has adjoiningworkstations or cubicles, the distance the wireless security device 400is from the secure access device 310 is less important than the actuallocation of the wireless security device 400 within the environment.When the secure access device 310 can have access to multiple receiverslocated in the environment, as shown and described above in FIGS. 1B-1D,the location of the wireless security device 400 in the environment canbe detected. The multiple receivers, in some embodiments, can be nodesof a wireless sensor network (WSN) having location-finding capabilities,for example, 802.15.4a, Zigbee Pro, and other network systems built onstandard wireless sensor network technologies, such as 104.15.4. In someembodiments, the wireless sensor network can be used for environmentalmonitoring and control, such as HVAC and lighting control, as well as,detecting a location of the wireless security device 400.

The multiple receives, in some embodiments, can each measure a distanceto the wireless security device 400 and report those distances to thesecure access device 310 or to the security control unit 140. The secureaccess device 310 or the security control unit 140 can determine alocation of the wireless security device 400 based on the distancemeasurements from the multiple receivers and optionally the secureaccess device 310. When the location of the wireless security device 400is determined to be within the secure range 402 of the secure accessdevice 310, the secure access device 310 can grant the wireless securitydevice 400 access to the personal computer.

In some embodiments, the wireless security device 400 can communicatewith the secure access device 310 and/or security control unit 140 overthe wireless sensor network. For example, the initial challenge to thewireless security device 400 can be issued over the wireless sensornetwork and location determined using the wireless sensor network, but,in some embodiments, additional authentication of the wireless securitydevice 400 can take place over another wireless network, such as WiFi.

In FIG. 3B, when the secure access device 310 is within the wirelessrange 401 of the wireless security device 400 and/or the wirelesssecurity device 400 falls within the range of the secure range 402 ofthe secure access device 310, the secure access device 310 can grantuser access to at least some of the functions and/or resources of thepersonal computer 110. For example, the secure access device 310 candirect the personal computer 110 to automatically log-on at least oneuser. In some embodiments, identification signals from the wirelesssecurity device 400 can identify a particular user that is associatedwith the wireless security device 400 and the secure access device 310can automatically log-on that particular user.

In some embodiments, when the secure access device 310 is within thewireless range 401 of the wireless security device 400, the secureaccess device 310 can remove a login lock. For example, the secureaccess device 310 can assert the login lock and deny one or more usersthe opportunity to log-on to the personal computer 110. The login lockcan disable various peripherals of the personal computer 110, such as akeyboard, mouse, display device, video interface, etc. After the secureaccess device 310 is within the wireless range 401 of the wirelesssecurity device 400, the secure access device 310 can provide the userthe opportunity to manually log-on to the personal computer 110. Thesecure access device 310 can also remove the login lock for all users orfor particular users, such as those users associated with the wirelesssecurity device 400.

In some embodiments, when the secure access device 310 is within thewireless range 401 of the wireless security device 400, the secureaccess device 310 can allow a logged-on user access to particularresources of personal computer 110 that would not be accessible to thelogged-on user without the presence of the wireless access device 400.For example, the secure access device 310 can restrict user access tosecure data, particular programs and applications, or other resourcesavailable to the personal computer 110, while allowing the user tolog-on to the personal computer 110 and access to other programs,applications, resources, and data.

Referring back to FIG. 1A and to FIG. 4, which includes a block diagramexample of the wireless security device 400 shown in FIG. 1A. Thewireless security device 400 includes various features that help toprotect the security system 100 from unauthorized user access, forexample, by authenticating users attempting to utilize the wirelesssecurity device 400 and/or by protecting the wireless communicationbetween the wireless security device 400 and the security system 100.

The wireless security device 400 can authenticate a user of the wirelesssecurity device 400, for example, by including a biometric scanner 420to scan at least a part of a user or detect a behavior of the user forthe biometric input. In some embodiments, the biometric scanner 420 canbe a fingerprint scanner, iris or retina scanner, a bodily fluidscanner, voice recognition system, or any other device that can identifya unique physical and/or behavioral attribute of the user.

The wireless security device 400 can receive a biometric input from thebiometric scanner 420 and compare the biometric input to one or moreknown user profiles 471. In some embodiments, the user profiles 471 canbe stored in a memory device 470 of the wireless security device 400.The wireless security device 400 can include a controller 460 to receivethe biometric input from the biometric scanner 420, access the memorydevice 470 to locate the user profiles 471, and compare the biometricinput to the user profiles 471. In some embodiments, the user profiles471 may be stored in the security control unit 140, and the wirelesssecurity device 400 may send encrypted biometric data to the securitycontrol 140 unit for verification.

When the biometric input matches one or more of the known user profiles471, the wireless security device 400 can become activated, for example,to emit identification signals. The controller 460 can generate theidentification signals, for example, from identification signalinformation 473 stored in the memory device 470. The identificationsignals can be signals that are common to multiple wireless devices,device-specific signals, and/or user-specific signals. After receiving abiometric input that matches a user profile 471, the wireless securitydevice 400 can remain active indefinitely or for a predetermined periodof time. In some embodiments, the security system 100 can signal thewireless security device 400 to become disabled, which can overrideprevious user activation.

When the biometric input fails to match at least one of the userprofiles 471, the wireless security device 400 can become disabled, forexample, by blocking the wireless transceiver 410 from sending orreceiving signals. In some embodiments, the wireless security device 400can remain disabled until the biometric scanner 420 provides thewireless security device 400 a biometric input that matches a known userprofile 471.

The wireless security device 400, in some embodiments, includes motiondetection functionality (not shown), that can detect movement of thewireless security device 400 or of objects nearby the wireless securitydevice 400. After receiving a biometric input that matches a known userprofile 471, the wireless security device 400 can remain active based onthe input received from the motion detection functionality. For example,the wireless security device 400 can become disabled when the wirelesssecurity device 400 is moved after a period of inactivity. In anotherexample, the wireless security device 400 can remain activated while inmotion, but become disabled, after coming to rest for a preset period oftime.

The wireless security device 400, in some embodiments, includesproximity detection functionality (not shown), that can detect thepresence of a user near the wireless security device 400. The proximitydetection functionality can include capacitive sensing and/or infraredsensing, for example, a passive infrared (PIR) sensor, which can detectthe presence of a user near the wireless security device 400. Afterreceiving a biometric input that matches a known user profile 471, thewireless security device 400 can remain active based on the inputreceived from the proximity detection functionality. For example, thewireless security device 400 can become disabled when proximitydetection functionality detects the wireless security device 400 isseparated from the user.

When the wireless security device 400 is utilized in conjunction withthe wireless sensor network described above, the wireless securitydevice 400 can remain active based on a detected location of thewireless security device 400 in the environment covered by the wirelesssensor network. For example, when the wireless security device 400leaves the area covered by the wireless sensor network, the wirelesssecurity device 400 can become disabled.

In some embodiments, the wireless security device 400 can takeadditional defensive actions when the biometric input fails to match oneor more of the known user profiles and/or after the wireless securitydevice 400 has been inactive to a predetermined period of time. Forexample, the wireless security device 400 can store the biometric inputthat failed to match the known user profiles 471, for example, in thememory device 470. This stored biometric input can subsequently betransferred to the security system 100, for example, through thewireless transmitter 410.

The wireless security device 400 can destroy stored data, such as theknown user profiles 471, encryption data 472, and identification signalinformation 473, when the biometric input fails to match one or more ofthe known user profiles 471 and/or after the wireless security device400 has been inactive to a predetermined period of time. The destructionof data helps to ensure information utilized by the wireless securitydevice 400 to gain access to protected resources is not compromised ifthe wireless access device 400 is mislaid or stolen.

When the biometric input fails to match one or more of the known userprofiles 471 and/or after the wireless security device 400 has beeninactive to a predetermined period of time, the wireless access device400 can transmit the alert signal through the wireless transceiver 410.The alert signal is configured to indicate to the security system 100that the wireless security device 400 may be in possession of anunauthorized user. The security system 100, in response to the alertsignal, can shut down access to the protected resources for all users orfor the particular wireless security device 400.

The security system 100 can identify the location that one or more ofthe secure access devices received the alert signal, allowing securitypersonal to attempt to locate the wireless security device 400. When thewireless security device 400 has access additional networks, forexample, a local area network (LAN), such as a WiFi network, a cellularnetwork, a wide area network (WAN), an 802.16 (Wimax) network, a FreeSpace Optical (FSO) network, or other voice or data networks, and/orinclude global positioning system (GPS) functionality, the wirelessaccess device 400 can transmit the alert signal over the additionalnetworks, in attempt to alert the security system 100 of the attemptedunauthorized access.

The wireless security device 400 can attempt to secure the communicationwith the security system 100 in several ways. For example, the wirelesssecurity device 400 can encrypt the identification signals before theyare transmitted or emitted from the wireless security device 400. Insome embodiments, the controller 460 can access the encryption data 472in the memory device 470 and generate the identification signals basedon the encryption data 472.

The wireless security device 400 can vary the wireless frequency overwhich the identification signals are transmitted. In some embodiments,the identification signal information 473 in the memory device 470 canindicate which wireless frequency for the wireless transceiver 410 totransmit the identification signals. The frequency variation can beperformed based on the day, time, or other temporal indicator. Forexample, the wireless security device 400 can emit identificationsignals over one wireless frequency or channel during normal businesshours, and another wireless frequency during off hours. The frequencyvariation can also be based on the specific wireless security device 400and/or the user of the wireless security device 400.

As discussed above, the wireless security device 400 can periodicallytransmit the identification signals, which can also be utilized as abasis for authenticating the wireless security device 400. The wirelesssecurity device 400 can vary the periodicity or frequency of thetransmission based on temporal indicators, such as time and/or day, orbased on the wireless security device 400 and/or user of the wirelesssecurity device 400. In some embodiments, the identification signalinformation 473 in the memory device 470 can indicate the delay betweenidentification signal transmissions.

The security system 100 can be configured to receive the identificationsignals and authenticate the wireless security device 400 based on thecontents of the identification signal and the mode of communication,e.g., which wireless frequency was utilized for transmission or theperiod of the identification signal transmissions. The security system100 can also determine if the same or similar identification signalswere received on other wireless frequencies, indicating a counterfeitdevice may be attempting access by transmitting the identificationsignals on all channels or wireless frequencies.

In some embodiments, the wireless security device 400 can be activated,but hold-off transmitting identification signals until the wirelesssecurity device 400 is within range of a secure access device of thesecurity system 100. For example, the secure access device can emit aproximity signal that, when received by the wireless security device400, prompts the wireless security device 400 to begin transmitting theidentification signals. This limits where the wireless security device400 transmits the identification signals, and helps to avoideavesdropping on the identification signals by unauthorized users. Insome embodiments, the proximity signal emitted by the security system100 can have the same or similar security features as those discussedabove with the identification signals, such as being encrypted andhaving varied wireless frequency and transmission periodicity.

To help reduce power consumption, the wireless security device 400, whenactivated, can periodically transmit a “ping” signal to initiate a userauthentication session. The ping signal can be short wireless signal,for example, a radio frequency signal that can be detected anddiscriminated from noise and/or interfering signals. In someembodiments, the ping can include a unique data sequence and can be thesame for all wireless security devices 400, or can have characteristicsthat are unique to a particular wireless security device 400 or a groupof wireless security devices 400. The secure access device can receivethe ping and respond with a request to begin the authentication processwith the wireless security device 400.

The wireless security device 400 and the security system 100 can alsoperform an initial handshake or exchange of signals or datagrams toensure the wireless security device 400 is authentic. The handshake canbe initiated by either the wireless security device 400 or the securitysystem 100 and can include a request by the security system 100 for aunique response. The wireless security device 400 can generate theunique response based on the information in the request from thesecurity system 100, and possibly information stored in the wirelesssecurity device 400 and/or the mode of communicating the request, suchas the wireless transmission frequency. The security system 100 cananalyze the unique response received from the wireless security device400 to determine whether the wireless security device 400 is authentic.The security system 100 can also periodically and/or intermittentlyrequest a follow-up handshake for additional security.

In some embodiments, the wireless security device 400 can includemultiple wireless transceivers that can be utilized to implement thedifferent stages of authentication processes—initiation, locationdetection, and authentication. For example, as discussed above,initiation of the authentication process by either the wireless securitydevice 400 or the secure access device can utilize a wirelesstransceiver that has low-power consumption to help save battery life. Tohelp the secure access device determine a location of the wirelesssecurity device 400, the wireless access device 400 may utilize adifferent wireless transceiver, for example, that can communicate with awireless sensor network. Finally during authentication, the wirelesssecurity device 400 can utilize yet another wireless transceiver thatallows for additional security or encryption, for example, that cancommunicate over a WiFi network. In some embodiments, any of thesewireless transceivers can be utilized for any of the different stages ofauthentication processes.

The security system 100 can also include the security control unit 140,which can allow for an additional layer of defense against unauthorizedaccess. The security control unit 140 can communicate with one or moreof the secure access devices, such as those included in the personalcomputer 110, the access point 120, and the entry device 130. Thesecurity control unit 140 can provide a centralized location to analyzeidentification signals from the wireless security device 400 and controlthe states of the security measures that restrict access to theirprotected resources.

By centralizing the authentication of the wireless security device 400,the security system 100 can secure any information utilized indetermining when identification signals are received from an authenticwireless security device 400. For example, the security control unit 140can be stored in a secured room within a building or at a remotelocation, and thus a theft of a personal computer 110, the access point120, and the entry device 130, may not compromise any access informationutilized to allow the user of the wireless security device 400 access toprotected resources.

The centralized authentication of the wireless security device 400 canalso allow for layered security. The security control unit 140 would beable to tell when a wireless security device 400 was currently accessingone protected resource and attempting to access another protectedresource in a physically distinct regions or spaces. For instance, whenthe wireless security device 400 is currently accessing the personalcomputer 110 located in an office and also attempting to access thebuilding, the security control unit 140 can determine at least one ofthe accesses is being performed by a counterfeit device.

The wireless security device 400 can include input devices 430 thatallow a user to manually activate, disable, or send an alert, forexample, by actuating buttons 431-433, respectively. In someembodiments, the manual activation, disablement, and/or alert can beachieved when the user has already been authenticated through thebiometric input process described, and/or by actuating the buttons 431,432, and/or 433 in a predetermined pattern. Although FIG. 1A shows theinput devices 430 as a set of buttons, in some embodiments, the inputdevices 430 can be a touch screen device, a roller ball or mouse device,audio recognition device, or any other device that allows a user topresent a manual input to the wireless security device 400.

The wireless security device 400 can include output devices 480 toprovide visual and/or audio indications to the user of the wirelesssecurity device 400. The visual and/or audio indications can identify astate of the wireless security device 400, such as whether it isactivated or disabled, and/or actively transmitting identificationsignals or alert signals. The visual and/or audio indications can alsobe utilized to help a user locate a missing device, for example, bypresenting an auditory sound or ring. The output devices 480 can includelights, speakers, visual displays, or any other visual and/or audiodevice that can provide an output perceptible by the user.

FIG. 5 is a block diagram example of the secure access device 500according to embodiments of the invention. Referring to FIG. 5, thesecure access device 500 includes a wireless transceiver 510 to exchangewireless signals with one or more wireless security devices 400. Thewireless transceiver 510 can pass received wireless signals along to asecurity controller 550 for analysis.

The security controller 550 can analyze received wireless signals based,at least in part, on information stored in the memory device 540. Thesecurity controller 550 can utilize the access information 541 andpossibly the user profiles 542 to determine whether the wireless signalsreceived by the wireless transceiver 510 authenticate a wirelesssecurity device 400 within range of the secure access device 500. Insome embodiments, the security controller 550 can forward the receivedsignals to another device, such as the security control unit 140,through the security system interface 530 for analysis.

The access information 541 can include information on an expected formatof the wireless signals, and an expected mode of communication, e.g.,the frequency of the wireless signals and the delay between the periodictransmissions. The user profiles 542 can include information onparticular users or classes of users that can access or that are deniedaccess to resources protected by the secure access device 500. Theclasses of users can be a subset or group of one or more users that havecommon access privileges, which can be set arbitrarily or based on somecommon characteristic.

When the wireless signals indicate that the wireless security device 400is authentic, the security controller 550 can direct the lockingmechanism 520 to disable one or more security measures. For example,when the locking mechanism 520 is locking an access point 120, thelocking mechanism 520 can enable the access point 120 to provide accessto a network to at least the user associated with the wireless securitydevice 400.

FIG. 6 is an example operational flowchart 600 for the wireless securitydevice and the security system according to embodiments of theinvention. Referring to FIG. 6, in a first block 610, the wirelesssecurity device 400 can be configured to capture a biometric input of auser. In some embodiments, the wireless security device 400 can includea biometric scanner 420 to capture the biometric input of a user. Thebiometric scanner 420 can be a fingerprint scanner, iris or retinascanner, a bodily fluid scanner, voice recognition system, or any otherdevice that can identify a unique physical and/or behavioral attributeof the user.

In a next block 620, the wireless security device 400 can be configuredto determine whether the user is authorized to utilize the wirelesssecurity device 400 based, at least in part, on a biometric input of theuser. In some embodiments, the wireless security device 400 can beconfigured to authorize the user to utilize the wireless security devicewhen the biometric input at least substantially matches one or morepredefined user profiles stored in the wireless security device 400.

In a next block 630, the wireless security device 400 can be configuredto periodically transmit one or more identification signals when theuser is authorized. The one or more identification signals can beconfigured to prompt a security system 100 to disable at least onesecurity measure that restricts user access to resources protected bythe security system 100. The security system 100 can be configured toautomatically re-engage the at least one security measure when thesecurity system 100 is outside a transmission range of the wirelesssecurity device 400.

In a next block 640, the wireless security device 400 can be configuredto disable the wireless security device 400 from periodicallytransmitting the one or more identification signals when the user is notauthorized to utilize the wireless security device 400. In someembodiments, the wireless security device 400 can transmit one or morealert signals instead of the identification signals. The alert signalscan be configured to prompt the security system 100 to lock access tothe protected resources for the wireless security device 400.

One of skill in the art will recognize that the concepts taught hereincan be tailored to a particular application in many other ways. Inparticular, those skilled in the art will recognize that the illustratedembodiments are but one of many alternative implementations that willbecome apparent upon reading this disclosure.

The preceding embodiments are examples. Although the specification mayrefer to “an”, “one”, “another”, or “some” embodiment(s) in severallocations, this does not necessarily mean that each such reference is tothe same embodiment(s), or that the feature only applies to a singleembodiment.

What is claimed is: 1-20. (canceled)
 21. A wireless security devicecomprising: a controller; a wireless transceiver coupled to thecontroller, the wireless transceiver for sending and receivinginformation from and to the controller; at least one user interfacecoupled to the controller, the at least one user interface for receivinguser input for processing by the controller; and a memory device coupledto the controller, the memory device for storing biometric informationfor user authentication, wherein the wireless security device isconfigured to send, by the wireless transceiver, encrypted biometricinformation stored in the memory device to a security control unit. 22.The wireless security device of claim 21, further configured to send, bythe wireless transceiver, encrypted information to a security controlunit based on a location of the wireless security device.
 23. Thewireless security device of claim 22, wherein the location of thewireless security device is determined by at least one sensor node. 24.The wireless security device of claim 21, wherein the at least one userinterface includes at least one of an output device, a biometricscanner, and an input device.
 25. the wireless security device of claim21, wherein the memory device is for storing a plurality of userprofiles, the user profiles including biometric information.
 26. Thewireless security device of claim 21, wherein the memory device is forstoring encryption data for secure communication with a security controlunit.
 27. The wireless security device of claim 21, further configuredto send, by the wireless transceiver, encrypted information to asecurity control unit based on a proximity of the wireless securitydevice to a proximity sensor.
 28. A security system comprising: asecurity control unit; an input coupled to the security control unit,the input for receiving wireless communication from a wireless securitydevice; a secure location, the secure location comprising an accesscontrol mechanism that is controlled by the security control unit. 29.The security system of claim 28, further comprising at least one sensornode, the at least one sensor not for calculating a distance of thewireless security device from the at least one sensor node.
 30. Thesecurity system of claim 28, further comprising a plurality of sensornodes, the plurality of sensor nodes for determining a location of thewireless security device.
 31. The security system of claim 28, furthercomprising a proximity sensor, the proximity sensor for detecting aproximity of the wireless security device to the proximity sensor. 32.The security system of claim 28 wherein the secure location is aphysical location, the physical location including an entrance and alocking mechanism to control physical access to the physical location.33. The security system of claim 28, wherein the secure location is acomputing device.
 34. The security system of claim 28, wherein thesecure location is a network, the network accessed by an access point inoperative communication with the security control unit.
 35. The securitysystem of claim 28, wherein the security control unit is located in aphysically separate location from the secure location.